John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Someone sent me an email with this link to the list of HIPAA breaches affecting 500 or more individuals. One of my popular searches on EMR and HIPAA is about HIPAA lawsuits, so you can imagine the lawyers are salivating over this list.

In a quick count, I found 31 on the list that were desktop, laptop, or other computer-related devices. In another quick count, I counted 46 on the list (feel free to correct my counts, but the range is right). The person who emailed me suggested that most of the list was breaches of EMR. I personally don’t think that’s the case.

One thing seems pretty certain. Technology has opened the doors for larger breaches. In the paper world, it’s a little harder to lose/misplace/steal 500 or more individuals’ information. It happens, but it’s much easier in the digital world. Plus, there’s a lot more vagueness in technology when a breach happens.

In the digital world, it’s often a best guess about what happened during a breach. Most of the time when breaches happen in the technical world, whoever took the device or data probably didn’t give a rip about the healthcare data. However, there’s the potential that they did, so you get to report it. Enough of that tangent.

One other problem with the assertion that most of this list is from an EMR breach is that I was surprised how many insurance providers were on the list. In fact, it seems like a large portion of the breaches were probably insurance lists. Not sure that’s an EMR breach.

I think it’s also interesting to note that this list of breaches is probably far below the reality. This is just the list of reported cases. I can’t imagine how many breaches happen that go unreported.

Of course, this raises the question of whether we should be moving to electronic records at all if there’s more possibility for breaches. My answer is that of course we should. Although, it should give us real pause as we consider the security of those systems as well. Stuff happens, but we shouldn’t let the possibility of breaches make us set aside the benefits of technology.

22 responses to "HIPAA Breaches Related to EMR"

John – Interestingly, I had a very similar post on my blog today. I agree with you and suspect that most of these data breaches are not from EMRs. Most of the time you are not going to find EMR data sitting on a laptop, USB drive, etc. The data would be on the back-end server(s). You might have the client program installed on a laptop, but unless there is a cached version of the data, there would be no EMR data on the laptop or desktop. There is a good chance that some of these are patient lists, spreadsheets, etc. That’s not to say that the data did not originate from an EMR though.
On your point regarding insurance providers, I was equally surprised to see the amount of their data breaches. For more details on the Tennessee BCBS’ $7 million data breach check out http://bit.ly/cwqX6b

Is it really MORE breaches? How/where was this data measured prior to 2009’s requirement by HITECH? Does this take into consideration the fact that the EMR has replaced paper in most major organizations? That is to say, it’s the same number (or fewer) breaches than these same groups had when they had racks full of paper charts.

We only see one side of the coin in this report. And it seems the report was made directly to monitor EMRs.

Agreed, I think it’d be much more obvious if a strange man with a cart loaded up 500 charts down in Records through repeated trips to his van. But a system I used to work for was sued about six years ago for not shredding records and putting them in a dumpster…

I’m just saying: people are already a little spooked by putting their important data into a system that they really don’t understand. As IT folks, we must be conscious to help abate that fear. One way is through a sound comparison. The unIT will read this as EMRs are MORE dangerous than paper. But in reality, this report is just a list. It is not a comparison of paper breaches to EMR breaches over the last twenty years or the like.

How can we say More if there is nothing to put on the right side of the greater than symbol? 🙂

John, I see there are a total of 56 breaches including private practices. When I did the count carefully, 16 are hard copies, including Carle Clinic Assoc. counted twice in terms of EMR related & non-EMR related – in comparison to a count of 41 which are EMR related. That’s how I got the number 41, which includes the films.

Finally, breaches of EMR are 41 out of 56.
I thought I would share the statistics since this is one of the courses I did really well in college.

Jenny,
Thanks for looking at my counts more closely. I did a really rough count. My only question for you is how did you determine that it was EMR related? If it said workstation, did you count that as EMR? Many of the computer, laptop, portable USB device, etc. entries are certainly under the “technology” category, but many are not likely EMR. Any EMR worth its salt will store the EMR information on the server and not on an external device.

I knew it was EMR related, even the servers as well as CDs, because they are Electronic Medical Records and not hard copies. So I counted all those that had digital data (soft data) and excluded those that were mailings, postcards, other (miscellaneous) – unidentified, and paper records, since they are hard data.

I see the confusion now. You’re defining EMR as “any electronic copy of any medical data.” I was talking about EMR as “EMR software.” I guess I should have been more clear by what I meant. My point is that if you have an insurance list of patients, then that is patient data stored electronically, but it’s not a reason not to implement an EMR because “EMRs are insecure.” I hope that makes sense.

John, I found 33 on the list that includes desktops, laptops and computer-related devices (Detroit Dept. of Health & Wellness Promotion had two locations of breaches, laptop & desktop computer, counted twice).

There are 56 on the list overall.

Paper-based records require a significant amount of storage space, and handwritten paper-based records could result in medical errors due to illegibility that should not be included until verified, compared to digital records. Implementing an EMR system would be beneficial if it is cost effective and increases efficiency, as well as taking security measures.

John, I believe the #8 may be correct. When I went back to the list, I counted misdirected e-mails because those could come from an EMR system with healthcare data, as well as hard drives – EMR software installed & cached, network servers – back-end servers, as Art Gross said, and excluding the “other” category.
There are a lot of possible breaches, but not EMR related.
I will add to the list of benefits if I come up with one.
This relates to me because my previous experience was working at a diagnostics company and had to comply with HIPAA regulations.

Btw, I have to mention that misdirected e-mails were probably not encrypted, so all parties should have a policy to encrypt e-mails with sensitive data when transmitted to e-mail servers. So that’s why there’s a possibility a breach occurred.

John, I was wondering if I could speak to you about a web-based project that allows more efficient and safe collaboration amongst health care providers. I just completed the website and I am in the testing phase. It would be great to have you look at it, but it is not ready for the national scene yet. Please contact me at your earliest convenience. I don’t think you will be disappointed. Regards, Corey

Is this considered a breach:
Patty is a medical assistant in a family practice office. She receives a phone call from Mrs. Smith, the mother of one of the practice’s patients. Mrs. Smith is concerned about her 19 year old daughter because her daughter has not been feeling well lately. Mrs. Smith’s daughter recently saw the doctor but did not share any of the information with her mom regarding the doctor’s findings. Mrs. Smith asks Patty to pull her daughter’s chart and to let her know what is wrong with her daughter.

From what you describe, there’s no breach. Patty only took the call and didn’t reveal any information. As long as Patty just says, “I can’t give you any information,” there’s no breach. Now if Patty gives information, that would be a breach, unless they had a release to talk with the mom. Patty should even avoid talking about whether Mrs. Smith’s daughter did or did not come to the office.